GitLab Duo Prompt Injection and Multiple CVEs Expose Dev Data

GitLab has released urgent security patches for GitLab Community Edition and Enterprise Edition that address a series of vulnerabilities, including a prompt injection flaw in GitLab Duo code review and multiple CVEs enabling XSS, access control bypass and information disclosure. The patched releases 18.5.2, 18.4.4 and 18.3.6 fix issues such as CVE-2025-11224, a high-severity cross-site scripting bug in the Kubernetes proxy, and CVE-2025-11865, an authorization weakness allowing users to remove AI workflows belonging to others. The GitLab Duo prompt injection vulnerability allows hidden instructions in merge request comments to trick the AI assistant into revealing confidential content from private issues, mapping to MITRE ATT&CK technique T1565 (Data Manipulation) and introducing AI-specific data leakage risk in development pipelines. Additional GitLab vulnerabilities broaden the attack surface. CVE-2025-2615 and CVE-2025-7000 permit blocked users to establish GraphQL subscriptions or view sensitive branch names, while CVE-2025-6171 exposes package metadata even when repositories are restricted. CVE-2025-11990 introduces a path traversal bug via crafted branch names, CVE-2025-7736 weakens access control in GitLab Pages OAuth flows and CVE-2025-12983 enables denial-of-service via specially crafted Markdown content. Combined, these issues can allow attackers or malicious insiders to exfiltrate data, disrupt workflows or escalate access without traditional malware. For organizations running self-managed GitLab, the business impact includes exposure of proprietary source code, secrets embedded in CI and CD pipelines and sensitive discussions around vulnerabilities or product roadmaps. AI-assisted code review that can be manipulated via prompt injection increases the likelihood that confidential information will be surfaced to unauthorized users or external tools. Unpatched GitLab instances are also attractive targets for supply chain compromise, where a single CI or CD foothold can impact many downstream services and customers and potentially violate contractual or regulatory obligations. GitLab has already updated GitLab.com and GitLab Dedicated; self-managed customers must upgrade to 18.5.2, 18.4.4 or 18.3.6 and plan for downtime and database migrations. Security teams should restrict GitLab Duo and other AI features to trusted users or projects, tighten RBAC and branch protection rules and enhance monitoring for unusual GraphQL activity, workflow deletions and repository access. Network segmentation, WAF and XSS protections and hardened CI or CD runner configurations provide defense in depth, while regular rotation of tokens, API keys and OAuth credentials limits damage if any GitLab vulnerability is exploited.